Cisco 640-553

CISCO 640-553 IINS Implementing Cisco IOS Network Security

Practice Test
Version 1.8

Cisco 640-553: Practice Exam QUESTION NO: 1 Examine the following options, which access list will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10? A. access-list 101 permittcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030 B. access-list 101permit tcp any eq 3030 C. access-list 101permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www D. access-list 101permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www Answer: D

QUESTION NO: 2 DRAG DROP

Answer:

"Pass Any Exam. Any Time." - www.actualtests.com

Ac

tua

lTe

sts

.co

m

Drag three proper statements about the IPsec protocol on the above to the list on the below.

2

Cisco 640-553: Practice Exam

QUESTION NO: 3

Answer: A

QUESTION NO: 4 The information of Cisco Router and Security Device Manager(SDM) is shown below:

"Pass Any Exam. Any Time." - www.actualtests.com

Ac

A. Roughly 50 percent B. Roughly 66 percent C. Roughly 75 percent D. Roughly 10 percent

tua

In a brute-force attack, what percentage of the keyspace must an attacker generally search through until he or she finds the key that decrypts the data?

lTe

sts

.co

m

3

Cisco 640-553: Practice Exam Within the "sdm-permit" policy map.www." .com Ac tua lTe sts . what is the action assigned to the traffic class "class-default"? A. inspect "Pass Any Exam.actualtests. Any Time.co m 4 .

Cisco 640-553: Practice Exam B.co m 5 .com Ac tua lTe sts . Any Time." .www. place the correct descriptions in the proper locations. pass Answer: B QUESTION NO: 5 DRAG DROP On the basis of the description of SSL-based VPN. Answer: "Pass Any Exam. drop C. police D.actualtests.

This ACL will prevent any host on the Internet from spoofing the inside network address as the source address for packets coming into the router from the Internet.0 will be permitted.actualtests. "Pass Any Exam.0.150.co m .Cisco 640-553: Practice Exam QUESTION NO: 6 Which description is correct based on the exhibit and partial configuration? A.16. D. All traffic destined for network 172.www. B. All traffic from network 10. C. Any Time.com 6 Ac tua lTe sts ." . Access-list 101 will prevent address spoofing from interface E0.0.0 will be denied due to the implicitdeny all.

B.Cisco 640-553: Practice Exam Answer: C QUESTION NO: 7 For the following items .actualtests. C. OOB C. Diffie-Hellman Nonce Answer: A QUESTION NO: 8 Which description about asymmetric encryption algorithms is correct? A. They use the same key for encryption and decryption of data.com 7 Ac tua lTe sts . MARS Answer: B QUESTION NO: 10 You work as a network engineer. XAUTH D." .which one can be used to authenticate the IPsec peers during IKE Phase 1? A. integrity check value C. do you know an IPsec tunnel is negotiated within the protection of which type of tunnel? "Pass Any Exam. Answer: C QUESTION NO: 9 For the following items.www. Any Time. pre-shared key B.co m . They use different keys for decryption but the same key for encryption of data. They use different keys for encryption and decryption of data. D. They use the same key for decryption but different keys for encryption of data. which management topology keeps management traffic isolated from production traffic? A. OTP B. SAFE D.

Enable Signature Default B. The enable secret password is hashed using MD5. Set the enable secret command to privilege level 5. which one determines if the IOSbased IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled? lTe sts . ISAKMP tunnel Answer: D QUESTION NO: 11 As a candidate for CCNA examination. and class maps are used to assign action to the traffic classes.co m . what does it indicate? A. Enable Default IOS Signature D." . GRE tunnel D.when editing global IPS settings. Enable Fail Opened tua Examine the following options .www. "Pass Any Exam. L2TP tunnel C. Enable Engine Fail Closed C. The enable secret password is hashed using SHA. L2F tunnel B. C. A router interface can belong to multiple zones. when you are familiar with the basic commands. D. C.actualtests. Answer: C QUESTION NO: 12 Answer: B QUESTION NO: 13 Which statement best describes Cisco IOS Zone-Based Policy Firewall? A. Any Time. The enable secret password is for accessing exec privilege level 5. The enable secret password is encrypted using Cisco proprietary level 5 encryption. Policy maps are used to classify traffic into different traffic classes. if you input the command "enable secret level 5 password" in the global mode .Cisco 640-553: Practice Exam A. E. B. The pass action works in only one direction.com 8 Ac A. B.

A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the zone-pair in both directions.actualtests." . It cannot support UDP flows.com Ac tua lTe sts . The status of TCP sessions is retained in the state table after the sessions terminate. D. B.co m Answer: C 9 . It cannot ensure each TCP connection follows a legitimate TCP three-way handshake. Answer: C QUESTION NO: 14 Which feature is a potential security weakness of a traditional stateful firewall? A.Cisco 640-553: Practice Exam D. It cannot detect application-layer attacks. QUESTION NO: 15 LAB "Pass Any Exam.www. C. Any Time.

actualtests." .co m 10 . Any Time.Cisco 640-553: Practice Exam "Pass Any Exam.www.com Ac tua lTe sts .

com Ac tua lTe sts .www." .actualtests.Cisco 640-553: Practice Exam "Pass Any Exam.co m 11 . Any Time.

whereas a privilege level supports commands available to that level and all the lower levels. whereas a privilege level requires AAA to be configured. a CLI view is used on a Catalyst switch. However. A CLI view can function withouta AAA configuration. whereas a privilege level is used on an IOS router. sts .actualtests.co m How does CLI view differ from a privilege level? 12 . D.com Ac QUESTION NO: 17 HOTSPOT tua lTe A. A CLI view supports only commands configured for that specific view. A CLI view and a privilege level perform the same function. B. A CLI view supports only monitoring commands.www. Any Time. Answer: "Pass Any Exam." . C.. whereas a privilege level allows a user to make changes to an IOS configuration.Cisco 640-553: Practice Exam Explanation: Switch1>enable Switch1#config t Switch1( config )#interface fa0/12 Switch1( config -if)# switchport mode access Switch1( config -if)# switchport port-security maximum 2 Switch1( config -if)# switchport port-security violation shutdown Switch1( config -if)#no shut Switch1( config -if)#end Switch1#copy run start QUESTION NO: 16 Answer: A .

actualtests.www. Any Time. which three types zone? "Pass Any Exam. The ACL must be applied to each vty line individually. QUESTION NO: 19 DRAG DROP On the basis of the Cisco IOS Zone-Based Policy Firewall." .Cisco 640-553: Practice Exam QUESTION NO: 18 Which statement best describes configuring access control lists to control Telnet traffic destined to the router itself? A.co m 13 .com Ac tua lTe sts Answer: D . C. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port. D. The ACL is applied to the Telnet port with the ip access-group command. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface. B. by default.

" .www.com Ac tua lTe Answer: sts .Cisco 640-553: Practice Exam Drag three proper characterizations on the above to the list on the below. "Pass Any Exam. Any Time.actualtests.co m 14 .

auto secure exec command and the SDM One-Step Lockdown wizard D. takes a message less than 2^64 bits as input and produces a 160-bit message digest D. Cisco Common Classification Policy Language configuration commands and the SDM Site-toSite VPN wizard Answer: C QUESTION NO: 22 CORRECT TEXT .Cisco 640-553: Practice Exam QUESTION NO: 20 What is the MD5 algorithm used for? A.which one accurately matches the CLI command(s) to the equivalent SDM wizard that performs similar configuration functions? A. takes a fixed-length message and produces a 128-bit message digest B. setup exec command and the SDM Security Audit wizard C. aaa configuration commands and the SDM Basic Firewall wizard B." .co m 15 .www.com Ac tua lTe sts . takes a variable-length message and produces a 128-bit message digest Answer: D QUESTION NO: 21 For the following options . "Pass Any Exam. takes a variable-length message and produces a 168-bit message digest C. Any Time.actualtests.

Any Time.com Ac tua lTe sts .www.Cisco 640-553: Practice Exam "Pass Any Exam.actualtests.co m 16 ." .

The period of time in which virtual logins are blocked as security services fully initialize C. The period of time in which virtual login attempts are blocked. A period of time when no one is attempting to log in D.com Ac tua lTe sts ." .actualtests. following repeated failed login attempts B.Cisco 640-553: Practice Exam input answer here: Answer: 1 QUESTION NO: 23 When configuring Cisco IOS login enhancements for virtual connections. what is the "quiet period"? A. The period of time between successive login attempts "Pass Any Exam.co m 17 . Any Time.www.

When the router goes into quiet mode. Command and control interface C.) A. which two types of interfaces are found on all network-based IPS sensors? (Choose two. B. C. All logins from any sources are blocked for another 193 seconds.co m . Three or more login requests have failed within the last 100 seconds. Management interface Answer: B." . Answer: A QUESTION NO: 26 If a switch is working in the fail-open mode.com 18 Ac tua lTe sts . Monitoring interface D.www. "Pass Any Exam. SSH. D.C QUESTION NO: 25 Which description is true about the show login command output displayed in the exhibit? A. Any Time. what will happen when the switch's CAM table fills to capacity and a new frame arrives? A. A copy of the frame is forwarded out all switch ports other than the port the frame was received on. any host is permitted to access the router via Telnet. since the quiet-mode access list has not been configured. Loopback interface B. and HTTP.Cisco 640-553: Practice Exam Answer: A QUESTION NO: 24 Based on the following items. The login block-for command is configured to block login hosts for 93 seconds.actualtests.

. m 19 . On the basis of the Syslog message shown.www. C.co A. This message is unimportant and can be ignored. Answer: A QUESTION NO: 27 Given the exhibit below. Any Time. Service timestamps have been globally enabled." . which two descriptions are correct? (Choose two. Answer: "Pass Any Exam. D. You are reading your Syslog server reports.) Answer: B.Cisco 640-553: Practice Exam B.actualtests. B. The frame is transmitted on the native VLAN. C. The frame is dropped.com Ac tua lTe sts . This message is a level 5 notification message. D. You are a network manager of your company.D QUESTION NO: 28 HOTSPOT . The switch sends a NACK segment to the frame's source MAC address. This is a normal system-generated information message and does not require further investigation.

com 20 Ac tua lTe sts . TACACS+ . TACACS+ .CK1 and CK3 RADIUS . Any Time. TACACS+ ." .Cisco 640-553: Practice Exam QUESTION NO: 29 What will be enabled by the scanning technology-The Dynamic Vector Streaming (DVS)? A.CK2 and CK3 RADIUS . Signature-based spyware filtering Answer: D QUESTION NO: 30 Which statement best describes the relationships between AAA function and TACACS+.www.CK2 and CK4 RADIUS . Signature-based virus filtering C.CK1 and CK4 RADIUS . whereas the enable password is not hashed (or encrypted. if the password-encryption service is not enabled). RADIUS based on the exhibit shown? A.co m .CK2 and CK4 D. Firmware-level virus detection B. TACACS+ .CK1 and CK4 Answer: B QUESTION NO: 31 The enable secret password appears as an MD5 hash in a router's configuration file. Layer 4 virus detection D. What is the reason that Cisco still support the use of both enable secret and enable passwords in a router's configuration? "Pass Any Exam.CK2 and CK3 B.actualtests.CK1 and CK3 C.

Because the enable secret password is a hash. state Answer: E "Pass Any Exam. dynamic ACL C. The enable password is present for backward compatibility. enable F. and the enable secret is used to verify that the enable password has not been modified since the hash was generated. Any Time. the enable password is used to match the password that was entered. reflexive ACL B. whereas the enable secret password is considered to be a router's private key. C. group RADIUS B. if-authenticated Answer: C. which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two. The enable password is used for IKE Phase I. Therefore. krb5 E.Cisco 640-553: Practice Exam A. The enable password is considered to be a router's public key. D." . queuing D.com Ac tua lTe sts .co m 21 . netflow E.www.E QUESTION NO: 33 Which kind of table will be used by most firewalls today to keep track of the connections through the firewall? A. it cannot be decrypted. local D. Answer: A QUESTION NO: 32 When configuring AAA login authentication on Cisco routers. B. whereas the enable secret password is used for IKE Phase II. group TACACS+ C.) A.actualtests.

Twononsecret numbers Answer: D QUESTION NO: 36 Examine the following items. Cisco ASA 5500 series security appliance Answer: D QUESTION NO: 37 Which three items are Cisco best-practice recommendations for securing a network? (Choose three. Answer: A Before a Diffie-Hellman exchange may begin. Cisco IOS router B. including firewall. Any Time. What does the option secret 5 indicate about the enable secret password? A. Twononsecret keys C." . It is encrypted using a proprietary Cisco encryption algorithm. D. B.www.actualtests. Cisco PIX 500 series security appliance C. VPN. antispyware. and antiphishing features? A. the two parties involved must agree on what? A. It is encrypted using DH group 5. which one offers a variety of security solutions. IPS. Cisco 4200 series IPS appliance D. Two secret keys B.co QUESTION NO: 35 m .com 22 Ac tua lTe sts . antivirus.) "Pass Any Exam.Cisco 640-553: Practice Exam QUESTION NO: 34 Based on the username global configuration mode command displayed in the exhibit. C. It is hashed using SHA. It is hashed using MD5. Two secret numbers D.

Cisco 640-553: Practice Exam A. Routinely apply patches to operating systems and applications. B. Disable unneeded services and ports on hosts. C. Deploy HIPS software on all end-user workstations. D. Require strong passwords, and enable password expiration. Answer: A,B,D

QUESTION NO: 38 What Cisco Security Agent Interceptor is in charge of intercepting all read/write requests to the rc files in UNIX? A. Configuration interceptor B. Network interceptor C. File system interceptor D. Execution space interceptor Answer: A

QUESTION NO: 39 HOTSPOT ..

Answer:

"Pass Any Exam. Any Time." - www.actualtests.com

Ac

tua

lTe

sts

.co

m

23

Cisco 640-553: Practice Exam QUESTION NO: 40 Information about a managed device??s resources and activity is defined by a series of objects. What defines the structure of these management objects? A. MIB B. FIB C. LDAP D. CEF Answer: A

QUESTION NO: 41

Refer to Cisco IOS Zone-Based Policy Firewall, where will the inspection policy be applied? A. to the zone-pair B. to the zone C. to the interface D. to the global service policy Answer: A

QUESTION NO: 43 Which statement is true about vishing? A. Influencing users to forward a call to a toll number (for example, a long distance or international number) B. Influencing users to provide personal information over a web page "Pass Any Exam. Any Time." - www.actualtests.com 24

Ac

tua

QUESTION NO: 42

lTe

Answer: C

sts

A. when using the established keyword, a location close to the destination point to ensure that return traffic is allowed B. an intermediate location to filter as much traffic as possible C. a location as close to the source traffic as possible D. a location as close to the destination traffic as possible

.co

m

Which location will be recommended for extended or extended named ACLs?

Cisco 640-553: Practice Exam C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number) D. Influencing users to provide personal information over the phone Answer: D

QUESTION NO: 44 Which item is the great majority of software vulnerabilities that have been discovered? A. Stack vulnerabilities B. Heap overflows C. Software overflows D. Buffer overflows Answer: D

QUESTION NO: 45 CORRECT TEXT ..

"Pass Any Exam. Any Time." - www.actualtests.com

Ac

tua

lTe

sts

.co

m

25

com Ac tua lTe sts .co m 26 .www. Any Time.Cisco 640-553: Practice Exam "Pass Any Exam.actualtests." .

Rainbow table Answer: B "Pass Any Exam. Salt C.Cisco 640-553: Practice Exam input answer here: Answer: 3.www.co m 27 .com Ac tua lTe sts . Ciphertext B.actualtests.6 QUESTION NO: 46 Which one of the following items may be added to a password stored in MD5 to make it more secure? A. Cryptotext D. Any Time." .

MD5 Answer: D QUESTION NO: 49 Which algorithm was the first to be found suitable for both digital signing and encryption? A.com 28 Ac tua QUESTION NO: 48 lTe sts . MD5 "Pass Any Exam. MD65 B. XR12 D. Any Time.co m . HMAC B. RSA C.www.actualtests.Cisco 640-553: Practice Exam QUESTION NO: 47 HOTSPOT Answer: Which example is of a function intended for cryptographic hashing? A. SHA-135 C." .

co m Answer: B .Cisco 640-553: Practice Exam D. B. QUESTION NO: 51 Answer: A.CK2 and CK4 Port Scan .) .com 29 Ac tua lTe A. Top-secret B. Which statement best describes the relationships between the attack method and the result? A. CK3 and CK5 "Pass Any Exam. government place classified data into? (Choose three.B.CK1. Confidential C. C. Secret sts Which classes does the U. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows. Host-based IPS deployment requires less planning than network-based IPS.actualtests. D. Any Time. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.D QUESTION NO: 52 With the increasing development of network. Ping Sweep . SBU D." . SHA-1 Answer: B QUESTION NO: 50 Which is the main difference between host-based and network-based intrusion prevention? A.www. various network attacks appear.S. Host-based IPS can work in promiscuous mode or inline mode.

Cisco 640-553: Practice Exam B.com.com 30 Ac tua lTe sts . secret password for the root user C.co m .D QUESTION NO: 54 What should be enabled before any user views can be created during role-based CLI configuration ? A. You must thenzeroize the keys to reset secure shell before configuring other parameters.C. Ping Sweep . C. "Pass Any Exam. CK3 and CK4 C.CK1 and CK5 Port Scan .CK1. Which description is correct when you have generated RSA keys on your Cisco router to prepare for secure device management? A.CK2.CK2. Scanning a network for active IP addresses and open ports on those IP addresses D. Ping Sweep . usernames and passwords D. B." . CK4 and CK5 D. You must then specify the general-purpose key size used for authentication with the crypto key generatersa general-keys modulus command. Performing end-user training on the use of antispyware software B. Any Time. multiple privilege levels Answer: A QUESTION NO: 55 You are a network technician at Certpaper. Using password-cracking utilities Answer: B. Allvty ports are automatically enabled for SSH to provide secure management. aaa new-model command B.www. Ping Sweep .CK2 and CK3 Port Scan . CK4 and CK5 Answer: A QUESTION NO: 53 Which three options are network evaluation techniques? (Choose three.CK1 and CK3 Port Scan . Performing virus scans C.actualtests.) A.

co m Answer: A 31 .) . The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server. C.F QUESTION NO: 58 Which are the best practices for attack mitigations? "Pass Any Exam.D." . buffer Unicode attack D. privilege escalation attack C. Trojan horse attack lTe sts What are four methods used by hackers? (Choose four. QUESTION NO: 57 Answer: A.com Ac tua A. The SSH protocol is automatically enabled. front door attacks F. the Cisco IOS image will be loaded from a secured FTPlocation. B. Any Time. social engineering attack E. When the router boots up. The Cisco IOS image file will not be visible in the output from the show flash command.B.www. D.actualtests. footprint analysis attack B. The show version command will not show the Cisco IOS image file location.Cisco 640-553: Practice Exam D. Answer: D QUESTION NO: 56 Which result is of securing the Cisco IOS image by use of the Cisco IOS image resilience feature? A.

CK2. CK6 and CK7 E. CK5. CK4. CK6 and CK8 B. CK2. CK6 and CK8 32 .co m A. Any Time.actualtests. CK3. CK3 and CK5 D.Cisco 640-553: Practice Exam Answer: A QUESTION NO: 59 DRAG DROP Answer: "Pass Any Exam. CK1. CK2." . CK2. CK5. CK3.www. sts . CK6 and CK7 C.com Ac tua lTe Drag two characteristics of the SDM Security Audit wizard on the above to the list on the below.

" .actualtests.Cisco 640-553: Practice Exam QUESTION NO: 60 The information of Cisco Router and Security Device Manager(SDM) is shown below: "Pass Any Exam.com Ac tua lTe sts . Any Time.www.co m 33 .

Cisco 640-553: Practice Exam Within the "sdm-inspect" policy map. and which traffic is matched by the traffic class "sdm-invlid-src" ? (Choose two.co m 34 .com Ac tua lTe sts .www." . what is the action assigned to the traffic class "sdm-invalidsrc".) "Pass Any Exam.actualtests. Any Time.

inspect/log D. In ECB mode. and revenue growth D. In ECB mode. C. and recovery "Pass Any Exam. traffic matched by ACL 105 C. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block. An entity responsible for registering the private key encryption used in a PKI B. applications." . Any Time. An agency responsible for granting and revoking public-private key pairs C.actualtests. D.www. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text block. B. A trusted third party responsible for signing the private keys of entities in aPKIbased system Answer: C QUESTION NO: 63 Which statement is not a reason for an organization to incorporate a SAN in its enterprise infrastructure? A.B QUESTION NO: 61 Which description is true about ECB mode? A. each 56-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block.Cisco 640-553: Practice Exam A. traffic matched by ACL 104 Answer: A. A trusted third party responsible for signing the public keys of entities in aPKIbased system D. each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous ciphertext block. To decrease the threat of viruses and worm attacks against data storage devices C. To meet changing business priorities.co m 35 . To increase the performance of long-distance replication. Answer: D QUESTION NO: 62 Which statement is true about a certificate authority (CA)? A. backup. traffic matched by the nested "sdm-cls-insp-traffic" class map B.com Ac tua lTe sts . To decrease both capital and operating expenses associated with data storage B.

) A.www. Selecting the Signature Definition File (SDF) that the router will use C. "Pass Any Exam. Selecting the inspection policy that will be applied to the interface Answer: A.B. STP D. You can click on the grey buttons below to view the different windows. UDP port 1645 Answer: A. VPN C.B. UDP port 2000 C. NAT B. Security Audit . Selecting the interface to which the IPS rule will be applied B.D QUESTION NO: 66 With which three tasks does the IPS Policies Wizard help you? (Choose three.) m . UDP port 1812 B.com 36 Ac tua lTe sts A. TCP port 2002 D." .actualtests. Any Time.Cisco 640-553: Practice Exam Answer: B QUESTION NO: 64 Which two ports are used with RADIUS authentication and authorization?(Choose two.) A.C QUESTION NO: 67 Instructions To access the Cisco Router and Security Device Manager(SDM) utility click on the console host icon that is connected to a ISR router.D QUESTION NO: 65 Answer: A. Selecting the direction of traffic that will be inspected D.co Which three statements are valid SDM configuration wizards? (Choose three.

co m 37 .You can also reposition a window by dragging it by the title bar. The "Tab" key and most commands that use the "Control"or "Escape" keys are not supported and are not necessary to complete this simulation. Any Time." .com Ac tua lTe sts .Cisco 640-553: Practice Exam Each of the windows can be minimized by clicking on the [-].www.actualtests. "Pass Any Exam.

B. FastEthernet0/0 and 0/1 are associated to the "out-zone" zone.B QUESTION NO: 70 Examine the following options . D. Any Time.com Ac tua QUESTION NO: 69 lTe Answer: A sts A. UplinkFast "Pass Any Exam. Answer: D. which Spanning Tree Protocol (STP) protection mechanism disables a switch port if the port receives a Bridge Protocol Data Unit (BPDU)? A. stores a secured copy of the Cisco IOS image in its persistent storage C. BPA attack B. enables Cisco IOS image resilience .co m What is the purpose of the secure boot-config global configuration ? 38 . Man-in-the-middle attack Answer: A. FastEthernet0/0 and 0/1 are associated to the "self" zone.) A. E. FastEthernet0/0 and 0/1 are not associated to any zone. Adaptive chosenciphertext attack C.actualtests." . backs up the Cisco IOS image from flash to a TFTP server D. FastEthernet0/1 is associated to the "out-zone" zone.Cisco 640-553: Practice Exam Which two options correctly identify the associated interface with the correct security zone? (Choose two.E QUESTION NO: 68 Observe the following options carefully. F.www.) A. FastEthernet0/0 and 0/1 are associated to the "in-zone" zone. FastEthernet0/0 is associated to the "in-zone" zone. C. takes a snapshot of the router running configuration and securely archives it in persistent storage B. which two attacks focus on RSA? (Choose all that apply. DDoS attack D.

Use logs and alerts D. Business needs B." . PKCS #10 D. Set connection limits Answer: D "Pass Any Exam. Root Guard Answer: C QUESTION NO: 71 Which Public Key Cryptographic Standards (PKCS) defines the syntax for encrypted messages and messages with digital signatures? A. PKCS #8 C. Best practices Answer: A QUESTION NO: 73 Which firewall best practices can help mitigate worm and other automated attacks? A. Segment security zones B.Cisco 640-553: Practice Exam B. PKCS #12 Answer: A Which one is the most important based on the following common elements of a network design? A.com Ac tua lTe sts QUESTION NO: 72 . Restrict access to firewalls C.www.actualtests. BPDU Guard D. Any Time. Security policy D.co m 39 . PKCS #7 B. PortFast C. Risk analysis C.

C. D. which one is perceived as a drawback of implementing Fibre Channel Authentication Protocol (FCAP)? A. It is restricted in size to only three segments. aaa authentication enable level D. It requires the implementation of IKE." . Stateful firewall B.co m 40 . It requires the use ofnetBT as the network protocol. Proxy firewall C.www.com Ac tua QUESTION NO: 76 lTe sts . aaa authentication enable default local Answer: B QUESTION NO: 77 For the following attempts. that data can be recovered from backups. which one is to ensure that no one employee becomes a pervasive security threat. Stateless firewall Answer: A Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level? A. Any Time. Packet filtering firewall D.actualtests.Cisco 640-553: Practice Exam QUESTION NO: 74 For the following statements. aaa authentication enable method default B. and that information system changes do not compromise a system's security? "Pass Any Exam. Answer: D QUESTION NO: 75 Which type of firewall is needed to open appropriate UDP ports required for RTP streams? A. It relies on an underlying Public Key Infrastructure (PKI). aaa authentication enable default C. B.

CK2. Implementation security D. CK3 and CK5 C. IKE Phase 1 .CK3. 3DES C.CK2 and CK3 IKE Phase 2 .co m 41 .CK1. Diffie-Hellman Answer: A "Pass Any Exam.actualtests.CK1 and CK2 IKE Phase 2 .CK1 and CK4 IKE Phase 2 . which one is the strongest symmetrical encryption algorithm? A. CK3 and CK5 B. CK4 and CK5 D. IKE Phase 1 .CK2 and CK4 IKE Phase 2 . Strategic security planning B.Cisco 640-553: Practice Exam A. Disaster recovery C. CK4 and CK5 lTe sts . AES B.com Ac tua A. IKE Phase 1 . Any Time. Operations security Answer: D QUESTION NO: 78 Which item is the correct matching relationships associated with IKE Phase? Answer: A QUESTION NO: 79 For the following statements.www. DES D.CK1." . IKE Phase 1 .

actualtests. HBA C.Cisco 640-553: Practice Exam QUESTION NO: 80 Which protocol will use a LUN as a way to differentiate the individual disk drives that comprise a target device? A. ATA D. Any Time. iSCSI Answer: A QUESTION NO: 81 "Pass Any Exam.com Ac tua lTe sts ." .co m The information of Cisco Router and Security Device Manager(SDM) is shown below: 42 .www. SCSI B.

www.com Ac tua lTe sts . pop3 "Pass Any Exam." .co m 43 .actualtests.Cisco 640-553: Practice Exam Which three protocols are matched by the "sdm-cls-insp-traffic" class map? (Choose three) A. Any Time.

one at a time. The Turbo ACL feature leads to reduced latency. Fixed-length groups of digits called blocks B. with the transformations varying during the encryption "Pass Any Exam.password database on the router." .D QUESTION NO: 82 Which statement best describes the Turbo ACL feature? (Choose all that apply. It specifies the login authentication method list named console-in using the local user database on the router. B.co m . Turbo ACLs increase the CPU load by matching the packet to a predetermined list.com 44 Ac tua lTe What is the objective of the aaa authentication login console-in local command? sts .www. C. one at a time. ftp C.) A.Cisco 640-553: Practice Exam B. It specifies the login authentication list named console-in using the local username. 12tp D. C. D. The Turbo ACL feature leads to increased latency.C QUESTION NO: 83 A. because the time it takes to match the packet is fixed and consistent. Any Time. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency. Individual digits. It specifies the login authorization method list named console-in using the local usernamepassword database on the router. with the transformations varying during the encryption C. It specifies the login authorization method list named console-in using the local RADIUS username-password database.B. D. because the time it takes to match the packet is variable. Answer: A QUESTION NO: 84 Stream ciphers run on which of the following? A.actualtests. Individual blocks. sql-net Answer: A. B. Answer: A.

but bandwidth is throttled until old MAC addresses are aged out. requires the Basic or Advanced Signature Definition File B.com Ac tua lTe A. D. The port's violation mode is set to restrict. what is the default action when the configured maximum of allowed MAC addresses value is exceeded? A. C. SYSLOG.co m Answer: B 45 . Changing only a few bits of a plain-text message causes theciphertext to be completely different.actualtests. Altering the key length causes theciphertext to be completely different. The MAC address table is cleared and the new MAC address is entered into the table. B.www.4(11)T and later ? ." . Answer: D "Pass Any Exam. uses Cisco IPS 5. what does creating an avalanche effect indicate? A. C. supports SDEE. Fixed-length groups of bits called blocks Answer: C QUESTION NO: 85 After enabling port security on a Cisco Catalyst switch. D. The port is shut down. QUESTION NO: 86 Answer: D QUESTION NO: 87 Regarding constructing a good encryption algorithm. Altering the key length causes the plain text to be completely different. Changing only a few bits of aciphertext message causes the plain text to be completely different.x signature format sts Which item is correct regarding Cisco IOS IPS on Cisco IOS Release 12.Cisco 640-553: Practice Exam D. and SNMP for sending Cisco IPS alerts D. The port remains enabled. uses the built-in signatures that come with the Cisco IOS image as backup C. B. Any Time.

B. C.co m 46 .actualtests. changes to theconfig-register setting C.www. Any Time. The resulting action is determined by the destination IP address and port number. The traffic is dropped. if a match is not found. The resulting action is determined by the destination IP address. thexmodem privilege EXEC mode command to recover the Cisco IOS image D. traffic is routed out interface Serial 1." . What will happen when traffic being filtered by the access list does not match the configured ACL statements for Serial 0? A. ROMMON Answer: D QUESTION NO: 90 The information of Cisco Router and Security Device Manager(SDM) is shown below: "Pass Any Exam. No ACL is applied to Interface Serial 1 on the same router. and.com Ac tua lTe sts .Cisco 640-553: Practice Exam QUESTION NO: 88 A standard access control list has been configured on a router and applied to interface Serial 0 in an outbound direction. password encryption service B. Answer: A QUESTION NO: 89 What will be disabled as a result of the no service password-recovery command? A. D. The source IP address is checked.

www. sdm-permit-icmpreply "Pass Any Exam.com Ac tua lTe sts ." .actualtests. Any Time.Cisco 640-553: Practice Exam Which poicy map is associated to the "adm-zp-in-out" security zone pair? A.co m 47 .

which three parameters do you configure? (Choose three. requesting that devices on that subnet send ping replies to a target system.co m . It sends ping requests to a subnet." .) "Pass Any Exam. Any Time. adm-permit C.actualtests. It uses Trojan horse applications to create a distributed collection of "zombie" computers. sdm-insp-traffic Answer: B QUESTION NO: 91 HOTSPOT Answer: QUESTION NO: 92 Which statement is true about a Smurf attack? A. It sends ping requests in segments of an invalid size. which can be used to launch a coordinatedDDoS attack. D. C.www. B.Cisco 640-553: Practice Exam B.com 48 Ac tua lTe sts . It intercepts the third step in a TCP three-way handshake to hijack a session. sdm-inspect D. Answer: C QUESTION NO: 93 When using the Cisco SDM Quick Setup Siteto-Site VPN wizard.

Transform set for theIPsec tunnel D." .D QUESTION NO: 94 On the basis of the show policy-map type inspect zone-pair session command output provided in the exhibit. Interface for the VPN connection Answer: A. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone). Answer: A QUESTION NO: 95 Which name is of the e-mail traffic monitoring service that underlies that architecture of IronPort? "Pass Any Exam.actualtests.B. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone).Cisco 640-553: Practice Exam A. Any Time. D. IP address for the remote peer C.www. C. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110. B. All packets will be dropped since the class-default traffic class is matching all traffic.co m 49 .What can be determined about this Cisco IOS zone based firewall policy? A.com Ac tua lTe sts . Source interface where encrypted traffic originates B.

www. With the method command C. With the methodaaa command B. Any Time.." . With a method statement Answer: C .com Ac tua lTe sts QUESTION NO: 97 CORRECT TEXT .co m 50 . "Pass Any Exam.actualtests. TrafMon C. With a method list D. SenderBase B. IronPort M-Series D. E-Base Answer: A QUESTION NO: 96 How do you define the authentication method that will be used with AAA? A.Cisco 640-553: Practice Exam A.

Any Time.co m 51 .www." .actualtests.Cisco 640-553: Practice Exam "Pass Any Exam.com Ac tua lTe sts .

which access control list would prevent IP address spoofing of these internal networks? "Pass Any Exam. You are the network security administrator responsible for router security.actualtests.www. From the default rules shown.Cisco 640-553: Practice Exam Answer: 4 QUESTION NO: 98 Refer to the exhibit." . Any Time. Your network uses internal IP addressing according to RFC 1918 specifications.com Ac tua input answer here: lTe sts .co m 52 .

Cisco 640-553: Practice Exam Answer: D QUESTION NO: 99 A.CK4.com 53 Ac tua lTe Please choose the correct matching relationships between the cryptography algorithms and the type of algorithm.CK2. CK4 and CK5 Asymmetric . SDM_Default_196 D. sts ." . CK3 and CK6 C. CK3 and CK6 B. CK5 and CK6 "Pass Any Exam. CK4 and CK5 Asymmetric .CK1. CK2 and CK3 Asymmetric .actualtests.co m A. Any Time.www. Symmetric . SDM_Default_197 B.CK1. SDM_Default_198 . Symmetric . SDM_Default_199 C. Symmetric .CK2.CK1.

Symmetric . Based on the VPN connection shown.Cisco 640-553: Practice Exam D." . Traffic that matches access list 103 will be protected.www. It should be configured as a DynamicIPsec policy.co m .com 54 Ac tua lTe sts . VPN access device D. CK3 and CK4 Answer: A QUESTION NO: 100 For the following items. Answer: A QUESTION NO: 102 As a network engineer at Certpaper. B. Tunnel Answer: B QUESTION NO: 101 Refer to the exhibit.CK2. This VPN configuration will not work because the tunnel IP and peer IP are the same.com.actualtests. The tunnel is down because the transform set needs to include the Authentication Header parameter. which one acts as a VPN termination device and is located at a primary network location? A. Broadband service B. Which will be necessarily taken into consideration when implementing Syslogging in your network? "Pass Any Exam.CK1. you are responsible for Certpaper network. Headend VPN device C. Any Time. C. which statement is true? A. The tunnel is down as result of being a static rule. D. CK5 and CK6 Asymmetric .

Pervasive secure MAC address D. used between the initiator and the responder to establish a basic security policy C. Gatekeeper Answer: D "Pass Any Exam.co m 55 . D. used to verify the identity of the peer B. Dynamic secure MAC address C. Enable the highest level ofSyslogging available to ensure you log all possible event messages. Gateway D. Application server C. Static secure MAC address B." .com Ac tua A. Use SSH to access yourSyslog information. used for asymmetric public key encryption lTe sts . B. C. Answer: D QUESTION NO: 103 Which type of MAC address is dynamically learned by a switch port and then added to the switch's running configuration? A. Any Time. Syncronize clocks on the network with a protocol such as Network Time Protocol.Cisco 640-553: Practice Exam A.www.actualtests. used to establish a symmetric shared key via a public key exchange process D. MCU B. Sticky secure MAC address Answer: D QUESTION NO: 104 What is the objective of Diffie-Hellman? Answer: C QUESTION NO: 105 Which VoIP components can permit or deny a call attempt on the basis of a network's available bandwidth? A. Log all messages to the system buffer so that they can be displayed when accessing the router.

the outbound and inbound access rules (ACL entries) D.com Ac tua lTe sts . TCP sequencing information." .www. port numbers. "Pass Any Exam. and additional flags for each TCP or UDP connection associated with a particular session C.co m 56 . Any Time. the inside private IP address and the translated inside global IP address B. the source and destination IP addresses.Cisco 640-553: Practice Exam QUESTION NO: 106 Which information is stored in the stateful session flow table while using a stateful firewall? A.actualtests. all TCP and UDP header information only Answer: B QUESTION NO: 107 CORRECT TEXT .

www.com Ac tua lTe sts .actualtests." .co m 57 . Any Time.Cisco 640-553: Practice Exam "Pass Any Exam.

co m 58 . 512 bits Answer: B "Pass Any Exam. 256 bits D. which is the Cisco minimum recommended modulus value? A. Any Time.www.actualtests.com Ac tua lTe sts . 2048 bits B." . 1024 bits C.Cisco 640-553: Practice Exam input answer here: Answer: 3 QUESTION NO: 108 When configuring SSH.

profile-based C. Integrity Answer: D QUESTION NO: 112 Which method is of gaining access to a system that bypasses normal security measures? A. D.C sts A.) .actualtests." .co m Which two statements are correct regarding a Cisco IP phone??s web access feature? (Choose two. Authentication D. rule-based D. Any Time. Confidentiality C. B. protocol analysis-based Answer: A QUESTION NO: 110 Which option ensures that data is not modified in transit? A. Creating a back door "Pass Any Exam. It can provide IP address information about other servers in the network. based on the UCM user database. C. It is enabled by default.Cisco 640-553: Practice Exam QUESTION NO: 109 Which type of intrusion prevention technology will be primarily used by the Cisco IPS security appliances? A. It requires login credentials. It uses HTTPS. signature-based B.www. Conducting social engineering C.com 59 Ac tua QUESTION NO: 111 lTe Answer: A. Authorization B. Starting a Smurf attack B. .

B.www.C.D QUESTION NO: 115 Which two primary port authentication protocols are used with VSANs? (Choose two. CHAP C.co m Answer: A. Pass B. DHCHAP D. Asymmetric algorithms are based on more complex mathematical computations. ESP Answer: B. Any Time.) . Only symmetric algorithms have a key exchange technology built in. Flow C. Inspect QUESTION NO: 114 Answer: B. Only asymmetric algorithms have a key exchange technology built in.D 60 . Launching aDoS attack Answer: C QUESTION NO: 113 Which two actions can be configured to allow traffic to traverse an interface when zone-based security is being employed? (Choose two." .) A.actualtests.Cisco 640-553: Practice Exam D.) A. Asymmetric algorithms are used quite often as key exchange protocols for symmetric algorithms. C. lTe sts Which three are distinctions between asymmetric and symmetric algorithms? (Choose all that apply.C "Pass Any Exam.com Ac tua A. D. SPAP B. Allow D.

co m Which statement is correct regarding the aaa configurations based on the exhibit provided? .www. tua lTe sts . which action will be taken first ? A.Cisco 640-553: Practice Exam QUESTION NO: 116 When configuring role-based CLI on a Cisco router." B. D. C.com 61 Ac A. B. The authentication method list used by thevty port is named test. The authentication method list used by the console port is named test.actualtests. no users will be able to establish a Telnet session with the router. Answer: C QUESTION NO: 117 Answer: A QUESTION NO: 118 Which one of the aaa accounting commands can be used to enable logging of both the start and stop records for user terminal sessions on the router? A. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command. D. aaa accounting exec start-stop tacacs+ C. C." . aaa accounting connection start-stop tacacs+ B. If the TACACS+ AAA server is not available. Create a parser view called "root view. console access to the router can be authenticated using the local database. Enable the root view on the router. aaa accounting network start-stop tacacs+ "Pass Any Exam. Log in to the router as the root user. aaa accounting system start-stop tacacs+ D. If the TACACS+ AAA server is not available. Any Time.

policy management Answer: A .actualtests.www. D. It validates the fact that a packet is either a connection request or a data packet belonging to a connection.com Ac QUESTION NO: 121 HOTSPOT tua lTe sts .Cisco 640-553: Practice Exam Answer: B QUESTION NO: 119 What is a static packet-filtering firewall used for ? A." .co m 62 . B. which feature is the foundation of Cisco Self-Defending Network technology? A. secure connectivity C. secure network platform B. Answer: "Pass Any Exam. C.. It analyzes network traffic at the network and transport protocol layers. Answer: C QUESTION NO: 120 For the following options. threat control and containment D. It keeps track of the actual communication process through the use of a state table. Any Time. It evaluates network packets for valid data at the application layer before allowing connections.

co m 63 . Any Time.com Ac tua lTe sts . Answer: "Pass Any Exam.www.actualtests.Cisco 640-553: Practice Exam QUESTION NO: 122 DRAG DROP Which three common examples are of AAA implementation on Cisco routers? Please place the correct descriptions in the proper locations." .

which Tasks button permits you to configure such features as SSH. Interfaces and Connections B. between which two devices EAPOL messages typically are sent? A." . Between the supplicant and the authenticator B. Security Audit D. Between the supplicant and the authentication server "Pass Any Exam. Additional Tasks Answer: D QUESTION NO: 124 In an IEEE 802.com Ac tua If you click the Configure button along the top of Cisco SDM??s graphical interface. SNMP. Intrusion Prevention C.actualtests.www. Any Time. NTP.Cisco 640-553: Practice Exam QUESTION NO: 123 A.co m 64 .1x deployment. and syslog? lTe sts . Between the authenticator and the authentication server C.

or both have been properly backed up and secured? A. show file systems D.Cisco 640-553: Practice Exam D." . You can click on the grey buttons below to view the different windows. the configuration files. show archive B.www. Between the RADIUS server and the authenticator Answer: A QUESTION NO: 125 Which one of the Cisco IOS commands can be used to verify that either the Cisco IOS image. show flash C. Each of the windows can be minimized by clicking on the [-].actualtests. Any Time.co m Answer: D 65 . The "Tab" key and most commands that use the "Control"or "Escape" keys are not supported and are not necessary to complete this simulation. lTe sts . show securebootset QUESTION NO: 126 "Pass Any Exam.com Ac tua Instructions To access the Cisco Router and Security Device Manager(SDM) utility click on the console host icon that is connected to a ISR router.You can also reposition a window by dragging it by the title bar.

co m 66 . Traffic not matched by any of the class maps within that policy map will be inspected "Pass Any Exam.Cisco 640-553: Practice Exam Which statements is correct regarding the "sdm-permit" policy map? A." .com Ac tua lTe sts . Any Time.www.actualtests.

CK3 C. Policy-based detection Answer: A Please choose the correct description about Cisco Self-Defending Network characteristics.co m 67 .CK1 COLLABORATIVE . That policy map is applied to traffic sourced from the "self" zone and destined to the "out-zone" zone. INTEGRATED .www.CK3 COLLABORATIVE . C.CK1 ADAPTIVE . INTEGRATED ." . Traffic matching the "SDM_CA_SERVER" traffic class will be dropped.CK3 B. Honey pot detection D. D.CK2 ADAPTIVE .com Ac tua lTe sts QUESTION NO: 128 .CK1 Answer: A "Pass Any Exam. Answer: B QUESTION NO: 127 Which key method is used to detect and prevent attacks by use of IDS and/or IPS technologies? A.CK2 COLLABORATIVE . Anomaly-based detection C. Traffic matching the "sdm-access" traffic class will be inspected.CK2 COLLABORATIVE .actualtests. INTEGRATED . Signature-based detection B. A.CK2 ADAPTIVE .Cisco 640-553: Practice Exam B. Any Time.CK1 D. INTEGRATED .CK3 ADAPTIVE .

" . Any Time.com Ac tua lTe sts .co m 68 .Cisco 640-553: Practice Exam QUESTION NO: 129 DRAG DROP Answer: Explanation: QUESTION NO: 130 DRAG DROP Answer: "Pass Any Exam.www.actualtests.

actualtests.www.Cisco 640-553: Practice Exam Explanation: QUESTION NO: 131 DRAG DROP Answer: Explanation: "Pass Any Exam.co m 69 . Any Time." .com Ac tua lTe sts .

Any Time." .Cisco 640-553: Practice Exam QUESTION NO: 132 DRAG DROP Answer: Explanation: "Pass Any Exam.co m 70 .www.com Ac tua lTe sts .actualtests.

"Pass Any Exam.actualtests. Any Time.Cisco 640-553: Practice Exam QUESTION NO: 133 DRAG DROP Answer: QUESTION NO: 134 DRAG DROP Match the descriptions on the left with the IKE phases on the right." .www.com Ac tua lTe sts .co m 71 .

actualtests." .Cisco 640-553: Practice Exam Answer: "Pass Any Exam.www.com Ac tua lTe sts .co m 72 . Any Time.

Sign up to vote on this title
UsefulNot useful